{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3605", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2026-03-05T16:37:23.520Z", "datePublished": "2026-04-17T02:44:42.032Z", "dateUpdated": "2026-04-17T17:57:55.431Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"lessThan": "2.0.0", "status": "affected", "version": "0.10.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault Enterprise", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"changes": [{"at": "1.19.16", "status": "unaffected"}, {"at": "1.20.10", "status": "unaffected"}, {"at": "1.21.5", "status": "unaffected"}], "lessThan": "2.0.0", "status": "affected", "version": "0.10.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "value": "This issue was independently identified and reported by chungkn from OneMount Group, as well as Andy RUSSON et Gabriel DEPARTOUT from almond.eu , sponsored the ANSSI (French Cybersecurity Agency) open-source security audit program."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.</p><br/>"}], "value": "An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126: Path Traversal"}]}], "metrics": [{"cvssV3_1": {"baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-17T17:57:55.431Z"}, "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342"}], "source": {"advisory": "HCSEC-2026-05", "discovery": "EXTERNAL"}, "title": "Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T13:20:23.015074Z", "id": "CVE-2026-3605", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T13:20:28.557Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3605", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-17T13:20:23.015074Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T13:20:25.836Z"}}], "cna": {"title": "Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service", "source": {"advisory": "HCSEC-2026-05", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "This issue was independently identified and reported by chungkn from OneMount Group, as well as Andy RUSSON et Gabriel DEPARTOUT from almond.eu , sponsored the ANSSI (French Cybersecurity Agency) open-source security audit program."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126: Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "product": "Vault", "versions": [{"status": "affected", "version": "0.10.0", "lessThan": "2.0.0", "versionType": "semver"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}, {"repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "product": "Vault Enterprise", "versions": [{"status": "affected", "changes": [{"at": "1.19.16", "status": "unaffected"}, {"at": "1.20.10", "status": "unaffected"}, {"at": "1.21.5", "status": "unaffected"}], "version": "0.10.0", "lessThan": "2.0.0", "versionType": "semver"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342"}], "descriptions": [{"lang": "en", "value": "An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.", "supportingMedia": [{"type": "text/html", "value": "<p>An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.</p><br/>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-17T17:57:55.431Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3605", "state": "PUBLISHED", "dateUpdated": "2026-04-17T17:57:55.431Z", "dateReserved": "2026-03-05T16:37:23.520Z", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "datePublished": "2026-04-17T02:44:42.032Z", "assignerShortName": "HashiCorp"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "A10F062C-C575-44AF-B8A5-90E3BD34D2E7", "versionEndExcluding": "1.19.16", "versionStartIncluding": "0.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "matchCriteriaId": "8A5E6BEF-C182-4E5D-A908-2CD2F2437205", "versionEndExcluding": "2.0.0", "versionStartIncluding": "0.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E2135CCF-F6D8-41AC-8D0C-F763F63974B4", "versionEndExcluding": "1.20.10", "versionStartIncluding": "1.20.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C8097BD2-0B19-4BA7-930E-93A5A89EC4AF", "versionEndExcluding": "1.21.5", "versionStartIncluding": "1.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16."}], "id": "CVE-2026-3605", "lastModified": "2026-04-25T18:08:13.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2026-04-17T04:16:03.263", "references": [{"source": "security@hashicorp.com", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security@hashicorp.com", "type": "Secondary"}]}

{"bugzilla": {"description": "Vault: Vault: Denial of Service due to unauthorized secret deletion via policy bypass", "id": "2459105", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459105"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "status": "draft"}, "cwe": "CWE-639", "details": ["A flaw was found in Vault. An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write. This vulnerability can lead to a denial-of-service by allowing the deletion of critical data. It does not permit a malicious user to delete secrets across namespaces or read any secret data."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-3605", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-baremetal-installer-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-installer-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "cephcsi-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "cephcsi-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "mcg-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "mcg-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "mcg-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "ocs4/cephcsi-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/cephcsi-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/cephcsi-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/mcg-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/mcg-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/mcg-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}], "public_date": "2026-04-17T02:44:42Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3605\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3605\nhttps://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0.10.0,2.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Vault", "source": "cna", "vendor": "HashiCorp"}, "product": "vault", "vendor": "hashicorp"}, {"configurations": [{"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0.10.0,2.0.0)"}}, {"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "1.19.16"}}, {"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "1.20.10"}}, {"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "unaffected", "versions": {"scheme": "semver", "value": "1.21.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Vault Enterprise", "source": "cna", "vendor": "HashiCorp"}, "product": "vault_enterprise", "vendor": "hashicorp"}], "analysis": {"en": {"generated_at": "2026-04-18T09:24:01.307028+00:00", "value": {"mitigation_remediation": ["Upgrade HashiCorp Vault Community Edition to version 2.0.0 or later.", "If using Vault Enterprise, upgrade to at least version 2.0.0, or to the patched releases 1.21.5, 1.20.10, or 1.19.16 if an upgrade to 2.0.0 is not immediately possible.", "Review and restrict glob patterns in policies to avoid granting delete permissions on kvv2 paths to users who do not need them, ensuring that delete capabilities are only granted to explicitly trusted roles."], "summary": {"action": "Patch Promptly", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "HashiCorp Vault Community Edition 2.0.0 and HashiCorp Vault Enterprise versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16 are affected by this policy bypass. Users running these releases without updating are exposed to the described deletion issue.", "description_and_impact": "An authentication and authorization flaw in HashiCorp Vault allows an authenticated user with a glob\u2011based policy on a kvv2 path to delete secrets they are not authorized to remove, which can cause downtime for the service. The vulnerability does not provide cross\u2011namespace deletion or allow reading of secret data; it is a denial\u2011of\u2011service scenario rooted in insufficient permission checks (CWE-288) and an authorization bypass through user\u2011controlled keys (CWE-639).", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity impact, and the EPSS score of <1% combined with a KEV absence suggests no known widespread exploitation yet, though the lack of delete permission restrictions makes the vulnerability readily exploitable in environments with misconfigured glob policies. The flaw stems from insufficient permission checks (CWE-288) and an authorization bypass through user\u2011controlled keys (CWE-639). An attacker must be authenticated and have policy access to the vulnerable path, but does not need any special administrative privileges beyond normal policy rights, increasing the likelihood of exploitation if privileges are misassigned."}}}}, "created": "2026-04-17T04:30:09.542395+00:00", "updated": "2026-04-18T09:30:25.689660+00:00", "vendors": ["hashicorp", "hashicorp$PRODUCT$vault", "hashicorp$PRODUCT$vault_enterprise"]}